Field
Embodiments of the present invention generally relate to multi-factor user authentication. In particular, embodiments of the present invention relate to a multi-factor authentication approach that makes use of push-service based resource access verification and seamless One-Time Password (OTP) generation based validation.
Description of the Related Art
Traditional (static) password-based authentication, which makes use of something a person knows (e.g., a username, a personal identification number (PIN) and/or other static password) to authenticate an individual, has been in use for a long time. Traditional password-based authentication has several vulnerabilities, including vulnerability to replay attacks, especially when user credentials are transmitted via a public network, such as the Internet, for example, in connection with authenticating a user prior to allowing the user access to a particular network resource (e.g., server/application/device/service). In a network environment in which login credentials are sent by a web browser/application over a network for authentication by a web server/authentication server, intruders/hackers can intercept the login credentials using techniques such as phishing or man-in-the-middle attacks. Several attempts have been made to overcome the problems of static password-based user authentication, including two-factor authentication (2FA) or multi-factor authentication (MFA) mechanisms, which use multiple components (e.g., something that the user knows, something that the user possesses (e.g., a bank card, a key, a Universal Serial Bus (USB) stick containing a secret token or other physical object) and/or something that is inseparable from the user (e.g., fingerprint, eye iris, voice, typing speed, key press patterns and/or other biometrics or characteristics of the user)) to confirm the identity of the user.
Two-factor or multi-factor authentication may make use of a one-time password (OTP), which is generated each time a user authentication is required, and which may be used in addition to a traditional (static) password. In existing solutions, an OTP is generated either by a hardware token or by a software-based OTP generator. A hardware token based OTP generator typically requires the user to carry the token everywhere, and is therefore not the most convenient solution for users. To remove the burden of carrying a hardware token, software-based OTP generators have been proposed, which are generally installed on a user device (e.g., a smartphone) to generate a unique OTP as needed. In some solutions, OTPs are generated by an application server and sent to the user, who may receive the OTP through short message service (SMS), email, a phone call or other means, and provide the OTP in addition to or instead of a static password for user authentication.
In a typical two-factor authentication, a user provides his/her login credentials (username and password), also interchangeably referred to as user credentials, and then provides the OTP for user authentication to a web/authentication server, which verifies the entered password and the OTP to authenticate the user. In a typical scenario, user authentication is performed using a web-browser or a web-application, which allows the user to manually enter the user credentials and the OTP to be authenticated for obtaining access to a network resource.
Common problems with existing solutions for user authentication include security, ease of use, privacy, and deployment issues. For instance, with OTP-based two-factor user authentication, users face two main issues, namely security and ease of use. OTP-based two-factor authentication is not very easy to use, especially when the software-based OTP generator is present on the same device (e.g., a smartphone) that is attempting to access a network resource requiring user authentication. If the user authentication is being processed through a web application or a web browser, for example, the user needs to either copy the OTP from the generator application or remember the OTP, and then paste/enter the OTP into the web application or web browser. This may require the user to flip/switch between the OTP generator application and the web application, thereby creating usability issues. For example, such switching among multiple applications makes it difficult (or requires additional time) to access network resources, such as web servers, databases, email, web portals, among others that require 2FA. Systems requiring users to manually enter OTPs are therefore neither convenient for nor preferred by users.
Conventional 2FA solutions where the end user enters the OTP into the web application or web browser are vulnerable to phishing attacks, since a well-disguised malicious site can easily fool an end user into entering their credentials, which can then be used by the hacker to gain access to the legitimate end user's account. Therefore, it is not desirable to require the end user to enter the OTP.
Furthermore, in two-factor authentication scenarios in which the OTP generator also exists on the same device as is being used for the user authentication, there is a risk of malware attacks since the authentication credentials are being generated on the same device. It is therefore desirable for OTP generation to be secure and transparent to the user.
In view of the foregoing limitations/disadvantages of existing solutions, there is a need for systems and methods that facilitate multi-factor authentication while addressing the limitations/disadvantages described above.